Zero-Day Bug in Verisign & IaaS Services Such as Google, Amazon Let Hackers Register Malicious Domains
March 6, 2020

A critical zero-day vulnerability that affected Verisign and multiple IaaS service companies such as Google, Amazon and DigitalOcean let attackers register homograph domain names (.com and .net).

Successfully registered homograph domains look the same as well-known domains and subdomains, and can be used for social engineering and insider attacks against an organization. The technique is similar to the IDN homograph attack.

Researchers identified several homograph domains that have been active since 2017 with HTTPS certificates and that mimic domains in various sectors, including financial, internet shopping, technology, and other Fortune 100 sites.

Matt Hamilton, a researcher from Soluble, found that domains under several generic top-level domains (gTLDs) can be registered using Unicode Latin IPA Extension characters, and he was able to register a number of homograph domains himself.

The above registered homographic domains are exactly similar to the respective original domains with the use of Unicode Latin IPA.

Similarly, the researcher tested nearly 300 prominent domains and the vulnerability believed to be only used in highly-targeted social engineering campaigns that will install malware, and steal sensitive data.

According to the Soluble report ” It appears that Verisign and other providers have been unaware of the homoglyphs within the Unicode Latin IPA Extension character set”

Basically, Verisign prevents users to register the domains that used mixed scripts such as “g??gle.com” using Cyrillic “?”s .

But due to the Zero-day bug, it was possible to register domains with a mix of Unicode and Latin characters as long as the Unicode characters were themselves Latin.

“Registrars, like Verisign, explicitly enforce anti-homograph measures (disallowing mixed-scripts) because they don’t want lookalike domains on their gTLDs. Public services that exist on a shared root, such as ‘s3.amazonaws.com’, ‘storage.googleapis.com’, or other services which allow users to create arbitrarily-named subdomains, should apply these same restrictions–they are effectively acting as registrars for those roots in the same way Verisign does for ‘.com’,” the researcher said.

This bug affected not only Verisign gTLDs: any TLD that allows Latin IPA characters is likely affected.

The vulnerability is considered a zero-day because multiple instances were identified through HTTPS certificates logged in Certificate Transparency, along with one “unofficial” JavaScript library hosted at a prominent domain.
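The gap described above can be shown with a short label validator. This is an added example, not code from the article, Soluble or Verisign: the function names are hypothetical, the script of a character is approximated from its Unicode name, and the sample domains are constructed.

```python
import unicodedata

# Unicode block "IPA Extensions" (U+0250..U+02AF): Latin-script letters such as
# U+0251 and U+0261 that render like ASCII "a" and "g".
IPA_EXTENSIONS = range(0x0250, 0x02B0)

def to_unicode(label):
    """Decode an A-label (xn--...) to Unicode; return other labels lower-cased."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Scripts of the letters in a label, taken from the first word of each
    Unicode character name (an approximation: the stdlib has no script property)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def check_label(label):
    """Return 'mixed-script', 'latin-ipa' or 'ok' for one domain label."""
    text = to_unicode(label)
    if len(scripts(text)) > 1:
        return "mixed-script"   # the anti-homograph rule the article describes
    if any(ord(ch) in IPA_EXTENSIONS for ch in text):
        return "latin-ipa"      # every letter is Latin, so the script rule passes it
    return "ok"

def check_domain(domain):
    """Worst verdict over all labels, so user-created subdomains are covered too."""
    verdicts = [check_label(part) for part in domain.rstrip(".").split(".") if part]
    for verdict in ("mixed-script", "latin-ipa"):
        if verdict in verdicts:
            return verdict
    return "ok"

if __name__ == "__main__":
    # Constructed samples, written with escapes so the code points stay visible.
    samples = ["example.com", "ex\u0251mple.com", "ex\u0430mple.com",
               "bucket-\u0261.storage.example.net"]
    for name in samples:
        print(ascii(name), check_domain(name))
```

The label with U+0251 contains only Latin-script letters, so a mixed-script rule alone accepts it; the separate block check is what flags it, while ordinary accented Latin labels still pass.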

This post, “Zero-Day Bug in Verisign & IaaS Services Such as Google, Amazon Let Hackers Register Malicious Domains”, originally appeared on GB Hackers.
